Vulnerable WordPress Plugins Report for the Week of July 28, 2017

Vulnerable Plugins

It was a busy week while I was away. Twenty disclosures, with eleven issues unfixed. Regarding both Formcraft Form Builder and Ultimate Affiliate Pro, since they are paid plugins, I do not have access to the source code to verify the disclosures. I'm assuming the vulnerabilities still remain, since the latest versions publicly listed match the vulnerable versions indicated in the PacketStorm posts.

The other vulnerability I want to highlight is the Arbitrary File Upload vulnerability in the WooCommerce Catalog Enquiry plugin. This vulnerability was initially disclosed back in April. At the time, the plugin was removed from the public repository. The author has since released a fix, but the fix doesn't entirely resolve the issue. Unfortunately, they are relying on the reported file type (`$_FILES['fileupload']['type']`), but this value isn't reliable: it is set by the browser and can therefore be altered. To the author's credit, they are now adding mt_rand to the file name and are now storing it in the system temp directory. This does make the uploaded file less accessible, but unfortunately it doesn't truly restrict the file types being uploaded. This vulnerability could be combined with a Local File Inclusion vulnerability to regain access to the uploaded files. In addition, it appears that the script allows unauthorized users to generate an email and will attach the uploaded files to the email it generates, meaning an attacker could upload a payload for Outlook and have the script email it to the victim.
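As an added illustration (not the plugin's code and not the author's), the snippet below puts the client-reported type check described above next to a check that inspects the uploaded bytes on the server; the function names, the allow-list and the constructed sample upload are all assumptions made for this example.

```php
<?php
// Added example, not from the plugin: comparing a check that trusts the
// client-supplied MIME type with one that inspects the file contents.

// Weak check: $_FILES[...]['type'] comes from the browser's request body,
// so any client can set it to whatever value the server expects.
function is_allowed_by_reported_type(array $file, array $allowedTypes): bool {
    return in_array($file['type'], array_keys($allowedTypes), true);
}

// Hardened check: sniff the real content with libmagic via finfo, require the
// sniffed type to be on the allow-list, and require the file extension to
// agree with that type. Inside WordPress, wp_check_filetype_and_ext()
// performs this kind of type/extension agreement check.
function is_allowed_by_content(array $file, array $allowedTypes): bool {
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real  = $finfo->file($file['tmp_name']);
    if ($real === false || !isset($allowedTypes[$real])) {
        return false;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    return in_array($ext, $allowedTypes[$real], true);
}

// Sniffed MIME type => permitted extensions (constructed allow-list).
$allowedTypes = [
    'image/png'       => ['png'],
    'image/jpeg'      => ['jpg', 'jpeg'],
    'application/pdf' => ['pdf'],
];

// Constructed sample: a PHP script submitted under an image name with a
// forged Content-Type of image/png.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php echo 'hello'; ?>\n");
$upload = [
    'name'     => 'photo.png',
    'type'     => 'image/png',
    'tmp_name' => $tmp,
    'error'    => UPLOAD_ERR_OK,
    'size'     => filesize($tmp),
];

// The first check only ever sees the forged header; the second sees the bytes.
var_dump(is_allowed_by_reported_type($upload, $allowedTypes));
var_dump(is_allowed_by_content($upload, $allowedTypes));
unlink($tmp);
```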